design1-service
Warn
Audited by Snyk on Feb 26, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill's Phase 1b "Ecosystem Import" (SKILL.md) explicitly accepts arbitrary HTTPS URLs (including GitHub/raw) and uses WebFetch to fetch and parse ecosystem.yaml and companion markdown files. The names and credential IDs it extracts directly drive requirement derivation and file-writing decisions, so untrusted third-party content can influence the agent's behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). At runtime the skill explicitly fetches user-provided HTTPS YAML URLs via WebFetch (for example, GitHub blob URLs converted to raw URLs such as https://raw.githubusercontent.com/{owner}/{repo}/main/docs/ecosystem.yaml), then parses ecosystem.yaml and companion markdown files and imports them into the agent context to drive its prompts, requirements derivation, and generated outputs. The fetched remote content can therefore directly control the agent's behavior.
Audit Metadata